[xmlsec] 'xmlSecKeyDataXmlRead' question about X509 certificates

Aleksey Sanin aleksey at aleksey.com
Wed Jun 11 07:42:11 PDT 2008


Sure, you are right. When I wrote the code I assumed that it is
easier to just lookup the certificate multiple times. It does
not affect the signature verification process.

Aleksey

Frank Gross wrote:
> Hi,
> 
>  I use the 'xmlSecKeyDataXmlRead' and 'xmlSecKeyDataXmlWrite' functions 
> to save and load an X509 certificate in XML, but I get a strange behavior.
> 
> When I write my certificate stored in the xmlSecKeyDataPtr section of 
> the xmlSecKeyPtr, everything is ok, and I get the following XML (Notice 
> that I want the SubjectName and IssuerSerial to be present):
> 
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <dsig:X509Data xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">  
> <dsig:X509Certificate>MIIDHTCCAt0CAQEwCQYHKoZIzjgEAzB6MQswCQYDVQQGEwJGUjEPMA0GA1UECBMGRnJhbmNlMRUwEwYDVQQHEwxTY2hpbHRpZ2hlaW0xDDAKBgNVBAoTAzRKUzEjMCEGA1UECxMaRm91ciBKJ3MgRGV2ZWxvcG1lbnQgVG9vbHMxEDAOBgNVBAMTB2RzYXJvb3QwHhcNMDgwNjA1MTMwMDI1WhcNMTgwNjAzMTMwMDI1WjB2MQswCQYDVQQGEwJGUjEPMA0GA1UECBMGRnJhbmNlMRUwEwYDVQQHEwxTY2hpbHRpZ2hlaW0xDDAKBgNVBAoTAzRKUzEjMCEGA1UECxMaRm91ciBKJ3MgRGV2ZWxvcG1lbnQgVG9vbHMxDDAKBgNVBAMTA2RzYTCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCvfbNJkDmPgfY1AkKjmRL+VJVaEpPwKzh8DqeGHw1JWsYN4NJf3rMNllirBCi2x8eGQvMMWAj7fSVK1PqrS9JukDLLbG+KJvXLTV14GfOS6r4aIasWErHPfpPHsBOYZ1s6jJlxFDdx7tJ4GgEhkJCMEJhEMT2MKxKzQdGxo0G9iwIVAODmx7JjZo0gBYr/8en+fR9f0phpAoGBAKzpjrrNlrz8/4pawEMEMnxKHMqqJGAak2Fyu4F8VW41ZULGGaLWulqPK5OVkve/+ZHrsxG3Uieyp7BOlhyVpuIt3XmCZ2WGdAv2NPAdw7RDcyQJE1KmgN0hrXHFs5oa5jxlVEOkq12JFJqNov8StlkxoPML/96kQczSm22hN4V+A4GEAAKBgHqtp0BncScT9M9/uzpCApR33m+SfQOWomYVqd177fz17O6vnFmtRM0V6sRMs0Fi+cVaa8zEcASbuJ3sGRZo2qNjXMeAg6Vm368XNKwtV3O39hvtOdO/b/HaU53oG4CEWi9koNRked4grQRxjFjab
> GJaMaXYO91KsaMnWoe3ijldMAkGByqGSM44BAMDLwAwLAIUK+PpNxfdEvV9ePeTt5zfDPS8NAoCFDC6gUfseNz6IYkJ0k1lurDSx9UN</dsig:X509Certificate>
> 
>  <dsig:X509SubjectName>CN=dsa,OU=Four J's Development Tools,O=4JS,L=Schiltigheim,ST=France,C=FR</dsig:X509SubjectName>
>  <dsig:X509IssuerSerial>
>    <dsig:X509IssuerName>CN=dsaroot,OU=Four J's Development Tools,O=4JS,L=Schiltigheim,ST=France,C=FR</dsig:X509IssuerName>
>    <dsig:X509SerialNumber>1</dsig:X509SerialNumber>
>  </dsig:X509IssuerSerial>
> </dsig:X509Data>
> 
> 
> Then when I read it back with 'xmlSecKeyDataXmlRead', and if flag 
> XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT is set, I must set 
> the certificate in the key store to allow the system to find the real 
> certificate corresponding to X509SubjectName, and to X509IssuerSerial. 
> And that's OK for me too.
> 
> But the strange thing is that when the function returns, I have 3 
> certificates in the xmlSecKeyData part of the xmlSecKeyPtr. I was 
> expecting only one certificate, because all entries of the X509Data 
> represent the same certificate. I investigated a bit, and found out that 
> the 'xmlSecOpenSSLX509DataNodeRead' function looks for the certificate 
> in the key store in case of X509SubjectName and X509IssuerSerial. But 
> shouldn't it first check in the data part of the xmlSecKeyPtr it is 
> currently reading, whether there is already a certificate that could match?
> 
> Actually, the problem is that I write one certificate, but when I read 
> it back, I have 3 times the same certificate.
> 
> 
> Regards,
> 
> Frank
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
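The behaviour discussed in this thread, modelled as an added example that is not xmlsec code and not from either poster: an X509Data element whose three children (X509Certificate, X509SubjectName, X509IssuerSerial) all refer to the same certificate is read back, each SubjectName and IssuerSerial entry is resolved against a key store, and the resolved certificates are collected into the key's data. Read without a duplicate check, the key ends up holding three copies of the one certificate, exactly as Frank reports; with the check he suggests (compare against certificates the key already holds before adding), it holds one. The base64 certificate body, the `KeyStore` class and the `read_x509data` function are constructed for this illustration; the subject name, issuer name and serial number are the ones shown in the quoted XML. The lookup failure raised for an entry the store cannot resolve stands in for the stop-on-unknown-certificate behaviour the flag in the thread selects.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the base64 DER certificate in the thread. Only its
# identity matters for this example, so no real certificate bytes are needed.
CERT_B64 = "MIIDHTCCAt0CAQEw...constructed-placeholder-certificate-text..."

# Names and serial as they appear in the quoted X509Data element.
SUBJECT = "CN=dsa,OU=Four J's Development Tools,O=4JS,L=Schiltigheim,ST=France,C=FR"
ISSUER = "CN=dsaroot,OU=Four J's Development Tools,O=4JS,L=Schiltigheim,ST=France,C=FR"
SERIAL = "1"

# The X509Data structure from the thread, with the constructed certificate text.
X509DATA_XML = f"""<dsig:X509Data xmlns:dsig="{DSIG_NS}">
  <dsig:X509Certificate>{CERT_B64}</dsig:X509Certificate>
  <dsig:X509SubjectName>{SUBJECT}</dsig:X509SubjectName>
  <dsig:X509IssuerSerial>
    <dsig:X509IssuerName>{ISSUER}</dsig:X509IssuerName>
    <dsig:X509SerialNumber>{SERIAL}</dsig:X509SerialNumber>
  </dsig:X509IssuerSerial>
</dsig:X509Data>"""


def fingerprint(cert_b64):
    """Identity of a certificate: hash of its base64 text with all whitespace
    removed, so mail-style line wrapping cannot make two copies look different."""
    return hashlib.sha256("".join(cert_b64.split()).encode()).hexdigest()


class KeyStore:
    """Hypothetical key store: the certificate Frank loads before reading,
    indexed the two ways the X509Data entries look it up."""

    def __init__(self):
        self.by_subject = {}
        self.by_issuer_serial = {}

    def add(self, cert_b64, subject, issuer, serial):
        self.by_subject[subject] = cert_b64
        self.by_issuer_serial[(issuer, serial)] = cert_b64


def read_x509data(xml_text, store, dedup):
    """Resolve each X509Data child to a certificate and collect the results.

    dedup=False reproduces what Frank observed: one copy per entry, three in
    total. dedup=True adds the check he asks about: skip a certificate the key
    being read already holds. An entry the store cannot resolve raises
    LookupError, standing in for stopping on an unknown certificate."""
    root = ET.fromstring(xml_text)
    certs = []

    def add(cert_b64):
        if dedup and any(fingerprint(c) == fingerprint(cert_b64) for c in certs):
            return
        certs.append(cert_b64)

    for child in root:
        tag = child.tag.split("}", 1)[1]  # strip the {namespace} prefix
        if tag == "X509Certificate":
            add(child.text)
        elif tag == "X509SubjectName":
            subject = child.text.strip()
            cert = store.by_subject.get(subject)
            if cert is None:
                raise LookupError(f"no certificate for subject {subject!r}")
            add(cert)
        elif tag == "X509IssuerSerial":
            issuer = child.find(f"{{{DSIG_NS}}}X509IssuerName").text.strip()
            serial = child.find(f"{{{DSIG_NS}}}X509SerialNumber").text.strip()
            cert = store.by_issuer_serial.get((issuer, serial))
            if cert is None:
                raise LookupError(f"no certificate for issuer {issuer!r} serial {serial!r}")
            add(cert)
    return certs


def copies_after_read(dedup):
    """Number of certificates the key holds after reading the thread's X509Data."""
    store = KeyStore()
    store.add(CERT_B64, SUBJECT, ISSUER, SERIAL)
    return len(read_x509data(X509DATA_XML, store, dedup=dedup))


if __name__ == "__main__":
    print("without duplicate check:", copies_after_read(dedup=False))
    print("with duplicate check:   ", copies_after_read(dedup=True))
```

The duplicate check compares a fingerprint of the certificate text rather than the subject or issuer strings, because two distinct certificates can share a subject name (renewals, for instance) while the issuer-plus-serial pair and the certificate bytes identify exactly one; as Aleksey notes, the extra copies do not change the outcome of signature verification, they only waste the lookups and the storage.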


